b"   OFFICE OF INSPECTOR GENERAL\n\nAUDIT OF THE MILLENNIUM CHALLENGE\nCORPORATION\xe2\x80\x99S FINANCIAL STATEMENTS,\nINTERNAL CONTROLS, AND COMPLIANCE\nFOR THE PERIOD ENDING\nSEPTEMBER 30, 2013 AND 2012\n\n\nAUDIT REPORT NO. M-000-14-001-C\nDecember 13, 2013\nWASHINGTON, DC\n\n\nFinancial information contained in this report may be privileged. The\nrestrictions of 18 USC 1905 should be considered before any information is\nreleased to the public.\n\x0cOffice of Inspector General\n\n\nDecember 13, 2013\n\n\nMr. Daniel Yohannes\nChief Executive Officer\nMillennium Challenge Corporation\n875 15th Street, NW\nWashington, DC 20005-2203\n\n\nSubject:             Audit of the Millennium Challenge Corporation\xe2\x80\x99s Financial Statements,\n                     Internal Controls, and Compliance for the Period Ending September 30,\n                     2013 and 2012 (Report No. M-000-14-001-C)\n\nDear Mr. Yohannes:\n\nEnclosed is CliftonLarsonAllen LLP\xe2\x80\x99s, final report on the subject audit. The Office of Inspector\nGeneral (OIG) contracted with the independent certified public accounting firm of\nCliftonLarsonAllen LLP, to audit the financial statements of the Millennium Challenge\nCorporation (MCC) for the period ending September 30, 2013. The contract required that the\naudit be performed in accordance with United States Generally Accepted Government Auditing\nStandards, Office of Management and Budget (OMB) Bulletin 14-02, Audit Requirements for\nFederal Financial Statements, and the GAO/PCIE Financial Audit Manual.\n\nThe Independent Auditors expressed an unqualified opinion on MCC\xe2\x80\x99s FY 2013 Financial\nStatements. The report stated that the financial statements referred to above present fairly, in all\nmaterial respects, the net position of MCC as of September 30, 2013, and its net cost, changes\nin net position and budgetary resources for the fiscal year then ended, in conformity with\naccounting principles generally accepted in the United States of America.\n\nIn its audit of MCC\xe2\x80\x99s fiscal year 2013 financial statements the auditor\xe2\x80\x99s identified one issue that\nwas considered a material weakness and three other issues that were considered significant\ndeficiencies. These matters are listed below and are detailed in the auditor\xe2\x80\x99s report.\n\nA deficiency in internal control exists when the design or operation of a control does not allow\nmanagement or employees, in the normal course of performing their assigned functions, to\nprevent, or detect and correct misstatements on a timely basis. A material weakness is a\ndeficiency, or combination of deficiencies, in internal control, such that there is a reasonable\npossibility that a material misstatement of an entity's financial statements will not be prevented,\nor detected and corrected on a timely basis.\nU.S. Agency for International Development\nOffice of Inspector General\n1300 Pennsylvania Ave, NW\nWashington, DC 20523\nhttp://oig.usaid.gov/\n\x0cMaterial Weakness\n\n        Ineffective and Inefficient Integration of Data, Processes, and Controls within the\n        Financial Management Systems (Modified Repeat Finding)\n\nA significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is\nless severe than a material weakness, yet important enough to merit attention by those charged\nwith governance.\n\nSignificant Deficiencies\n\n        Validation Control over Grant Accrual Estimates Needs to be Strengthened ( Modified\n        repeat Finding)\n\n        Monitoring of MCAs Audits Needs to be Strengthened (Modified Repeat Finding)\n\n\n        Information Systems Controls Need Improvement\n\nThe auditors did not note any instance of material non-compliance with laws and regulations.\n\nIn carrying out its oversight responsibilities, the OIG reviewed CliftonLarsonAllen LLP, Internal\nAudit Report and audit documentation. This review, as differentiated from an audit in\naccordance with U.S. Generally Accepted Government Auditing Standards was not intended to\nenable the OIG to express, and we do not express, opinions on MCC\xe2\x80\x99s financial statements, or\ninternal control; or on MCC\xe2\x80\x99s compliance with other laws and regulations. CliftonLarsonAllen\nLLP is responsible for the attached auditor\xe2\x80\x99s report, dated December 11, 2013, and the\nconclusions expressed in the report. However, our review disclosed no instances where\nCliftonLarsonAllen LLP, did not comply, in all material respects, with applicable standards.\n\nTo address the material weakness and significance deficiencies in internal controls reported by\nCliftonLarsonAllen LLP, we are listing below the findings with 11 recommendations to MCC\xe2\x80\x99s\nmanagement:\n\nMaterial Weakness\n\nIneffective and Inefficient Integration of Data, Processes, and Controls within the\nFinancial Management Systems (Modified Repeat Finding)\n\nRecommendations\n\nWith regards to the core financial system, we recommend that MCC:\n\n   1.   Perform a comprehensive review and determine whether the SSP\xe2\x80\x99s financial\n        management system is meeting MCC financial management and reporting needs. As\n        part of this review, management should continue to evaluate whether:\n\n               a. a separate grants management system that focuses on program and financial\n                  administrations that interfaces with the core financial system is needed, or\n\n\n\n\n                                                  3\n\x0c               b. to establish alternatives to recording numerous data lines in the Oracle AP\n                  module which is manual intensive and prone to errors.\n\n   2. Investigate and correct the underlying causes for the system errors and limitations that\n      prevent or delay the recording, processing, and summarizing of accounting transactions.\n      Key issues that remain unresolved should be escalated immediately rather than back-log\n      the problem. MCC should ensure that errors and open tickets are resolved appropriately\n      and timely by the SSP and that routine MCA accounting activities (such as the NA/NA\n      fund transactions) are recorded in Oracle within the specified timeline. Moreover, manual\n      adjusting journal entries should be used for limited transactions like unusual one-time\n      entries or correcting entries.\n\n   3. In collaboration with the SSP, formalize in writing the system\xe2\x80\x99s issues and resolution\n      process. This will include developing a standardized remedy ticket listing with relevant\n      and historical information.\n\n   4. Continue to streamline the Monthly Commitments and Disbursements Report (MCDR)\n      recording and adjustment process. With regards to supervisory reviews, we recommend\n      that MCC:\n\n   5. Implement an effective management review of its accounting and financial reporting\n      processes using the comprehensive review process to ensure that all transactions for\n      the accounting period are accurately and completely reflected in the financial\n      statements, beginning balances agreed to ending balances, and reconciling items are\n      recorded timely. Such management reviews should be performed monthly or quarterly\n      and at year-end timely.\n\n   6. Further review SSP data entries relating to MCA payment processing and related\n      adjustments. Perform reconciliation of AP on a monthly basis and proactively resolve all\n      differences.\n\nSignificant Deficiencies\n\nValidation Control over Grant Accrual Estimates Needs to be Strengthened (Modified\nRepeat Finding)\n\nRecommendations:\n\nWe recommend that MCC:\n\n   7.    Develop and implement a logical and supportable look back validation process to\n        assess the reasonableness of the grant accrual estimate, and then perform a grant\n        accrual look back analysis on a quarterly basis for a sufficient period of time to develop a\n        pattern or trend. The look back analysis and the results should provide MCC sufficient\n        information to explain unusual variances between actual and estimates, or support\n        updating the current grant accrual methodology. Such periodic assessment of the\n        adequacy of the grant accrual methodology should be documented and supported by\n        data analysis. Note that the accrued liability amount is subject to the risks that actual\n        subsequent disbursement amount may be significantly different from management\xe2\x80\x99s\n        estimate. When this occurs, management should further analyze the drivers/factors to\n        ensure the validity and reasonableness of the estimation methodology.\n\n\n\n\n                                                 4\n\x0c   8. Update the Expense Accruals Policy and Procedures to reflect the change in the\n      methodology. At a minimum, the policy and procedures should include the following:\n\n      a. documentation of the procedures and flow of information used in developing grant\n         accrual estimates;\n      b. a discussion of who (position title) is responsible for each step of the estimate as\n         well as the review and approval process followed;\n      c. the model used, the rationale for selecting the specific methodology, and, for\n         programs with sufficient historical data, the degree of calibration within the\n         projected spending model; and\n      d. the sources of information, the logic flow, and the mechanics of the model,\n         including the formulas and other mathematical functions.\n\n   9. Develop audit procedures for the MCA audit to compare spending authority amount\n      granted against actual MCA expenses, and investigate and document significant\n      variances. MCC should maintain a library of historical MCA financial data. This\n      information may be used by MCC to validate or enhance its current methodology.\n\n   10. Continue to enhance the accrual methodology by:\n\n      a. stratifying the MCAs based on variances in their spending rates and/or stages in the\n          compact\xe2\x80\x99s life cycle;\n      b. developing and implementing a process to ensure that compacts that are partially\n         managed by MCC are fully addressed within the grant accrual process.\n      c. addressing situations where the MCA exceeds its quarterly spending authority;\n      d. addressing situations where the compact has expired and there is no spending\n         authority and disbursements are still occurring;\n      e. obtaining detailed document level breakdown of expenses to be used to compare\n         against the accrual estimates;\n      f. reviewing the disbursement patterns by compact to identify those with large\n         fluctuations to determine the cause so that adjustments can be made in developing\n         the spending plan or in how the grant accrual is calculated to improve the accuracy\n         of the grant accrual estimate; and\n      g. other factors as deemed necessary to achieve an acceptable precision of the accrual\n         estimate.\n\nMonitoring of MCA\xe2\x80\x99s Audits Needs to be Strengthened (Modified Repeat Finding)\n\nRecommendation:\n\n   11. Continue the collaboration between the USAID OIG and the MCC management to\n       improve timeliness of the MCA audits; adequacy of the MCA audit procedures;\n       monitoring and reviewing the quality and performance of the MCA audits; and tracking\n       and conducting follow-up of corrective action plans with the MCAs timely.\n\n\n\n\n                                              5\n\x0cInformation Systems Controls Need Improvement (Modified Repeat Finding)\n\nRecommendation:\n\nWe are not repeating our recommendations which are included in the USAID OIG Report titled\n\xe2\x80\x9cAudit of Millennium Challenge Corporation\xe2\x80\x99s Fiscal Year 2013 Compliance with Federal\nInformation Security Management Act of 2002,\xe2\x80\x9d Audit Report M-000-13-005-P, dated\nSeptember 20, 2013.\n\nThe OIG acknowledges MCC\xe2\x80\x99s management decisions for all 11 recommendations. Please\ninform us when final action has been achieved.\n\nWe appreciate the cooperation and courtesies extended to our staff and to the staff of\nCliftonLarsonAllen LLP, during the audit. Please contact Fred Jones at (202) 216-6963, if you\nhave any questions concerning this report.\n\n\n                                                     Sincerely,\n\n                                                          /s/\n                                                     Robert L. Fry\n                                                     Acting Deputy Assistant Inspector General\n                                                     for Audit\n                                                     Millennium Challenge Corporation\n\n\n\n       cc:    Steven Kaufmann, Chief of Staff\n              kaufmannsm@mcc.gov\n\n              Chantale Wong, Vice President of Administration and Finance\n              wongcy@mcc.gov\n\n              Kamran Khan, Vice President of Compact Operations\n              khank@mcc.gov\n\n              Terry Bowie, Chief Financial Advisor\n              tlbowie@mcc.gov\n\n              Eric Redmond, Assistant Deputy Chief Financial Officer\n              redmondeg@mcc.gov\n\n              Monique Ricker, Compliance Officer\n              rickermt@mcc.gov\n\n\n\n\n                                                6\n\x0c                     MILLENNIUM CHALLENGE CORPORATION\n\n                                      September 30, 2013\n\n                                           Table of Contents\n\n\n\nDescription                                                               Page\n\nINDEPENDENT AUDITORS\xe2\x80\x99 REPORT                                                 1\n\n    Exhibit 1 \xe2\x80\x93 Material Weakness                                          1-1\n\n    Exhibit 2 \xe2\x80\x93 Significant Deficiencies                                   2-1\n\n    Exhibit 3 \xe2\x80\x93 Status of Prior Year Audit Findings and Recommendations    3-1\n\n    Exhibit 4 \xe2\x80\x93 Management\xe2\x80\x99s Response to Audit Findings                    4-1\n\x0c                                                                         CliftonLarsonAllen LLP\n                                                                         www.cliftonlarsonallen.com\n\n\n\n\n                                   INDEPENDENT AUDITORS\xe2\x80\x99 REPORT\n\n\nTo the Inspector General\nU.S. Agency for International Development\n\nTo the Board of Directors\nMillennium Challenge Corporation\n\nIn our audits of the fiscal years (FY) 2013 and 2012 financial statements of the Millennium Challenge\nCorporation (MCC), we found:\n\n    \xe2\x80\xa2   The financial statements are presented fairly, in all material respects, in accordance with\n        accounting principles generally accepted in the United States of America (U.S.);\n    \xe2\x80\xa2   One material weakness and three significant deficiencies in internal control over financial\n        reporting; and\n    \xe2\x80\xa2   No instance of reportable noncompliance with certain provisions of laws, regulations, contracts,\n        and grant agreements tested.\n\nThe following sections and Exhibits discuss in more detail: (1) these conclusions, (2) Management\xe2\x80\x99s\nDiscussion and Analysis (MD&A), other required supplementary information (RSI), and other information\nincluded with the financial statements, (3) management\xe2\x80\x99s responsibility, (4) our responsibilities, (5)\nmanagement\xe2\x80\x99s response to findings, and (6) the current status of prior year findings.\n\nREPORT ON THE FINANCIAL STATEMENTS\n\nWe have audited the accompanying financial statements of MCC, which comprise the balance sheets as\nof September 30, 2013 and 2012, and the related statements of net cost and changes in net position,\nand the combined statements of budgetary resources, for the years then ended, and the related notes\nto the financial statements. The objective of our audits was to express an opinion on the fairness of\nthese financial statements.\n\nManagement\xe2\x80\x99s Responsibility for the Financial Statements\n\nMCC management is responsible for the (1) preparation and fair presentation of these financial\nstatements in accordance with accounting principles generally accepted in the U.S., (2) preparation,\nmeasurement, and presentation of the RSI in accordance with accounting principles generally accepted\nin the U.S., (3) preparation and presentation of other information in documents containing the audited\nfinancial statements and auditors\xe2\x80\x99 report, and consistency of that information with the audited financial\nstatements and the RSI; (4) design, implementation, and maintenance of internal control relevant to the\npreparation and fair presentation of financial statements that are free from material misstatement,\nwhether due to fraud or error.\n\n\n\n\n                                                   1\n\x0cAuditors\xe2\x80\x99 Responsibility\n\nOur responsibility is to express an opinion on these financial statements based on our audits. We\nconducted our audits in accordance with auditing standards generally accepted in the U.S. and the\nstandards applicable to financial audits contained in Government Auditing Standards, issued by the\nComptroller General of the United States. Those standards require that we plan and perform the audit\nto obtain reasonable assurance about whether the financial statements are free from material\nmisstatement. We also conducted our audits in accordance with Office of Management and Budget\n(OMB) Bulletin No. 14-02, Audit Requirements for Federal Financial Statements, (OMB Bulletin 14-02).\n\nAn audit of financial statements involves performing procedures to obtain audit evidence about the\namounts and disclosures in the financial statements. The procedures selected depend on the auditors\xe2\x80\x99\njudgment, including the auditors\xe2\x80\x99 assessment of the risks of material misstatement of the financial\nstatements, whether due to fraud or error. In making those risk assessments, the auditor considers\ninternal control relevant to the entity\xe2\x80\x99s preparation and fair presentation of the financial statements in\norder to design audit procedures that are appropriate in the circumstances, but not for the purpose of\nexpressing an opinion on the effectiveness of the entity\xe2\x80\x99s internal control. Accordingly, we express no\nsuch opinion. An audit of financial statements also includes evaluating the appropriateness of\naccounting policies used and the reasonableness of significant accounting estimates made by\nmanagement, as well as evaluating the overall presentation of the financial statements.\n\nWe believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for\nour audit opinion.\n\nOpinion on the Financial Statements\n\nIn our opinion, the financial statements referred to above present fairly, in all material respects, the\nfinancial position of MCC as of September 30, 2013 and 2012, and its net costs, changes in net position,\nand budgetary resources for the years then ended, in accordance with accounting principles generally\naccepted in the U.S.\n\nOther Matters\n\nRequired Supplementary Information\nAccounting principles generally accepted in the U.S. require that MCC\xe2\x80\x99s MD&A and other Required\nSupplementary Information (RSI) be presented to supplement the financial statements. Such\ninformation, although not a part of the financial statements, is required by the Federal Accounting\nStandards Advisory Board (FASAB), who considers it to be an essential part of financial reporting for\nplacing the financial statements in an appropriate operational, economic, or historical context. We have\napplied certain limited procedures to the MD&A and other RSI in accordance with auditing standards\ngenerally accepted in the U.S., which consisted of inquiries of management about the methods of\npreparing the information and comparing the information for consistency with management's responses\nto our inquiries, the financial statements, and other knowledge we obtained during our audit of the\nfinancial statements. We do not express an opinion or provide any assurance on the information\nbecause the limited procedures do not provide us with sufficient evidence to express an opinion or\nprovide any assurance.\n\n\n\n\n                                                    2\n\x0cOther Information\nAll other information exclusive of the financial statements, MD&A and other RSI as listed in the table of\ncontents contains a wide range of information, some of which is not directly related to the financial\nstatements. This information is presented for purposes of additional analysis and is not a required part\nof the financial statements or RSI. The information has not been subjected to the auditing procedures\napplied in the audit of the financial statements, and accordingly, we do not express an opinion or\nprovide any assurance on it.\n\nREPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND ON COMPLIANCE AND OTHER\nMATTERS BASED ON AN AUDIT OF FINANCIAL STATEMENTS PERFORMED IN ACCORDANCE WITH\nGOVERNMENT AUDITING STANDARDS\n\nReport on Internal Control over Financial Reporting\n\nIn planning and performing our audit of the financial statements, we considered MCC\xe2\x80\x99s internal control\nover financial reporting (internal control) to determine the audit procedures that are appropriate in the\ncircumstances for the purpose of expressing our opinion on the financial statements, but not for the\npurpose of expressing an opinion on the effectiveness of MCC\xe2\x80\x99s internal control or on management\xe2\x80\x99s\nassertion on internal control included in the MD&A. Accordingly, we do not express an opinion on the\neffectiveness of MCC\xe2\x80\x99s internal control or on management\xe2\x80\x99s assertion on internal control included in the\nMD&A.\n\nOur consideration of internal control was for the limited purpose described in the preceding paragraph\nand was not designed to identify all deficiencies in internal control that might be material weaknesses or\nsignificant deficiencies and therefore, material weaknesses or significant deficiencies may exist that\nwere not identified. However, we identified certain deficiencies in internal control described below that\nwe consider to be a material weakness and significant deficiencies.\n\nA deficiency in internal control exists when the design or operation of a control does not allow\nmanagement or employees, in the normal course of performing their assigned functions, to prevent, or\ndetect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a\ncombination of deficiencies, in internal control, such that there is a reasonable possibility that a material\nmisstatement of MCC\xe2\x80\x99s financial statements will not be prevented, or detected and corrected on a\ntimely basis. We consider the deficiencies summarized below and described in Exhibit 1 to be a material\nweakness.\n\n                  Ineffective and Inefficient Integration of Data, Processes and Controls within\n                                       the Financial Management Systems\n\nA significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less\nsevere than a material weakness, yet important enough to merit attention by those charged with\ngovernance. We consider the deficiencies summarized below and described in Exhibit 2 to be significant\ndeficiencies.\n\n               Validation Control over Grant Accrual Estimates Needs to be Strengthened\n\n                          Monitoring of MCAs Audits Needs to be Strengthened\n\n\n\n                                                     3\n\x0c                             Information Systems Controls Need Improvement\n\nAlso, as required by OMB Bulletin 14-02, we compared the material weakness identified during the audit\nwith the material weakness included in the MCC\xe2\x80\x99s Federal Managers Financial Integrity Act (FMFIA)\nreport that relate to financial reporting. We noted no exception.\n\nReport on Compliance and Other Matters\n\nAs part of obtaining reasonable assurance about whether MCC\xe2\x80\x99s financial statements are free from\nmaterial misstatement, we performed tests of MCC\xe2\x80\x99s compliance with certain provisions of laws,\nregulations, contracts, and grant agreements that have a direct effect on the determination of material\namounts and disclosures in the financial statements. However, providing an opinion on compliance with\nthose provisions was not an objective of our audit, and accordingly, we do not express such an opinion.\nThe results of our tests disclosed no instances of noncompliance or other matters that are required to\nbe reported in accordance with Government Auditing Standards, issued by the Comptroller General of\nthe United States or OMB Bulletin 14-02.\n\nManagement\xe2\x80\x99s Responsibility for Internal Control and Compliance\n\nMCC management is responsible for (1) evaluating the effectiveness of internal control over financial\nreporting based on criteria established under the FMFIA, (2) providing a statement of assurance on the\noverall effectiveness on internal control over financial reporting, and (3) ensuring compliance with other\napplicable laws, regulations, contracts, and grant agreements.\n\nAuditors\xe2\x80\x99 Responsibilities\n\nWe are responsible for: (1) obtaining a sufficient understanding of internal control over financial\nreporting to plan the audit, (2) testing compliance with certain provisions of laws and regulations that\nhave a direct and material effect on the determination of material amounts and disclosures in the\nfinancial statements and applicable laws for which OMB Bulletin 14-02 requires testing, and (3) applying\ncertain limited procedures with respect to the RSI included with the financial statements.\n\nWe did not evaluate all internal controls relevant to operating objectives as broadly established by the\nFMFIA, such as those controls relevant to preparing statistical reports and ensuring efficient operations.\nWe limited our internal control testing to testing controls over financial reporting. Because of inherent\nlimitations in internal control, misstatements due to error or fraud, losses, or noncompliance may\nnevertheless occur and not be detected. We also caution that projecting our audit results to future\nperiods is subject to risk that controls may become inadequate because of changes in conditions or that\nthe degree of compliance with controls may deteriorate. In addition, we caution that our internal\ncontrol testing may not be sufficient for other purposes.\n\nWe did not test compliance with all laws and regulations applicable to MCC. We limited our tests of\ncompliance to selected provisions of laws and regulations that have a direct effect on the determination\nof material amounts and disclosures in the financial statements and those required by OMB Bulletin 14-\n02 that we deemed applicable to MCC\xe2\x80\x99s financial statements for the fiscal year ended September 30,\n2013. We caution that noncompliance with laws and regulations may occur and not be detected by\nthese tests and that such testing may not be sufficient for other purposes.\n\n\n\n                                                    4\n\x0cMANAGEMENT\xe2\x80\x99S RESPONSE TO AUDIT FINDINGS\n\nManagement\xe2\x80\x99s response to audit findings identified in our report is presented in Exhibit 4. We did not\naudit MCC\xe2\x80\x99s response and, accordingly, we express no opinion on it.\n\nSTATUS OF PRIOR YEAR\xe2\x80\x99S CONTROL DEFICIENCIES AND NONCOMPLIANCE ISSUES\n\nWe have reviewed the status of MCC\xe2\x80\x99s corrective actions with respect to the findings included in the\nprior year\xe2\x80\x99s Independent Auditors\xe2\x80\x99 Report, dated November 12, 2012. The status of prior year findings\nand recommendations is presented in Exhibit 3.\n\nPURPOSE OF THE REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND THE REPORT ON\nCOMPLIANCE AND OTHER MATTERS\n\nThe purpose of the Report on Internal Control over Financial Reporting and the Report on Compliance\nand Other Matters sections of this report is solely to describe the scope of our testing of internal control\nand compliance and the result of that testing, and not to provide an opinion on the effectiveness of\nMCC\xe2\x80\x99s internal control or on compliance. These reports are an integral part of an audit performed in\naccordance with Government Auditing Standards in considering MCC\xe2\x80\x99s internal control and compliance.\nAccordingly, these reports are not suitable for any other purpose.\n\n\nCLIFTONLARSONALLEN LLP\n\n\n\n\nArlington, Virginia\nDecember 11, 2013\n\n\n\n\n                                                     5\n\x0c                                                EXHIBIT 1\n\n                                         MATERIAL WEAKNESS\n\n\n1. Ineffective and Inefficient Integration of Data, Processes, and Controls within the Financial\n   Management Systems (Modified Repeat Finding)\n\nGAO Standards for Internal Control in the Federal Government states that internal control is not one\nevent, but a series of actions and activities that occur throughout an entity\xe2\x80\x99s operations and on an\nongoing basis. Control activity, which is one of the standards for internal control, may be applied in a\ncomputerized information system environment, or through manual processes. Information system\ncontrol should be installed at an application\xe2\x80\x99s interfaces with other systems to ensure that all inputs are\nreceived and are valid, and outputs are correct and properly distributed. Some control activities include:\ncontrols over information processing, management of human capital, proper execution of transactions\nand events, accurate and timely recording of transactions and events, and appropriate documentation\nof transactions. Monitoring, which is another standard for internal control, is performed continually and\nis ingrained in the agency\xe2\x80\x99s operations. It includes regular management and supervisory activities,\ncomparisons, reconciliations, and other actions people take in performing their duties.\n\nAccounting is a systematic process of identifying, recording, measuring, classifying, verifying,\nsummarizing, interpreting and communicating financial events. These financial events are ultimately\npresented in financial statements through the financial reporting process. Each step in the accounting\nprocess is an integral part of the financial reporting process.\n\nA financial management system includes the core financial system and the financial portions of mixed\nsystems necessary to support financial management, including automated and manual processes,\nprocedures and controls, data, software, and support personnel dedicated to the operation and\nmaintenance of system functions.\n\nMCC continued to design and implement internal control to improve its accounting and financial\nreporting processes. For example, in FY 2013, MCC required the Millennium Challenge Account entities\n(MCAs) to perform and submit monthly reconciliation of compact disbursements report (MCDR) with\nthose recorded in MCC\xe2\x80\x99s financial systems and resolve the identified variances with the MCC\xe2\x80\x99s shared\nservice provider (SSP) timely. In addition, MCC established some accounting transaction models to be\nfollowed when performing routine manual accounting entries to ensure that they are done correctly.\nMoreover, MCC has successfully exported its core system\xe2\x80\x99s trial balance (TB) into a spreadsheet used to\nprepare the financial statements and eliminated significant manual cutting and pasting of the systems\xe2\x80\x99\nTB into the FS spreadsheets. However, MCC continues to face a huge challenge in its accounting and\nreporting processes primarily due to its financial management systems\xe2\x80\x99 limitations, and the sheer\nvolume of financial activities that are complex and require manual attentions and reviews to\ncompensate for the systems\xe2\x80\x99 limitations. As a result, the accounting and financial reporting processes, as\na whole, is inefficient, and the risks that internal controls are not effective to prevent, detect, and\ncorrect errors timely is high, increasing the reasonable possibility of a material misstatement in the\nfinancial statements.\n\n\n\n\n                                                   1-1\n\x0cWe presented all our findings to MCC management in written notices of findings and recommendations\n(NFRs) and obtained their written responses to our NFRs. We have summarized and grouped those\nfindings into systemic issues below:\n\n   a. MCC uses a SSP to process its accounting transactions. The SSP\xe2\x80\x99s core financial system current\n      configurations prevent MCC from recording significant transactions in a systematic and correct\n      manner. Issues with Oracle posting model and related version upgrades continue to exist. Our\n      review of the September 30, 2013 SSP\xe2\x80\x99s open system ticket report, which tracks financial system\n      issues, identified issues that remain unresolved for an unreasonable period of time. Due to the\n      volume and variety of transactional financial events that MCC must record relating to its\n      grantees; MCC frequently has to prepare manual journal vouchers and system\xe2\x80\x99s adjustments at\n      the back end of the transactions to correct errors such as the differences between the a)\n      Purchase Order (PO) and General Ledger (GL) module, b) Accounts Payable (AP) and GL module,\n      c) incorrect postings, d) system module interface errors, and e) others. This system deficiency,\n      combined with MCC and/or SSP\xe2\x80\x99s inadequate and untimely reviews and corrective actions,\n      negatively impact MCC\xe2\x80\x99s ability to record transactions timely, properly, and accurately. Although\n      MCC applied compensating controls to detect and correct these errors, with the sheer volume\n      and complexity of these transactions (automated and manual), there is a high risk that errors\n      will not be detected and corrected timely or not detected at all. Our audit identified instances\n      where this situation occurred. Moreover, this system deficiency results in inefficiencies and\n      negatively impacts MCC\xe2\x80\x99s limited staff resources.\n\n       The government-wide policies and standards issued pursuant to FMFIA, states that agencies are\n       responsible for managing their financial management system even when they utilize a service\n       provider to implement, operate and maintain the systems. Agencies must ensure that their\n       financial management systems meet applicable Federal requirements and are adequately\n       supported throughout the systems\xe2\x80\x99 life cycle. Furthermore, agencies must monitor the service\n       provider\xe2\x80\x99s performance and ensure that service failures are resolved promptly.\n\n   b. Although MCC has made strides in improving its financial reporting process by implementing\n      certain quality control review processes in response to prior year\xe2\x80\x99s findings, much still needs to\n      be done. MCC\xe2\x80\x99s accounting and financial statements preparation process continue to be\n      susceptible to errors even though a number of functionalities have been automated. MCC uses\n      the Oracle federal financial management system (Oracle) to generate its financial statements.\n      Manual journal voucher (JV) entries are posted directly into Oracle to correct errors and/or post\n      adjustments. Oracle then automatically generates the financial statements from these data\n      inputs. Our audit identified instances where MCC missed posting manual journal entries, or\n      posted correcting journal entries that resulted in further errors in Oracle at June 30, 2013 and\n      September 30, 2013. Some of these missing manual journal entries or erroneous correcting\n      journal entries are described in c below.\n\n   c. In reviewing the financial statements and performing our internal control testing, we identified\n      errors and control deficiencies that led us to question the effectiveness and timeliness of\n      supervisory reviews. For example,\n          o Advances balance at June 30, 2013 was overstated by $119 million which was the first\n              quarter accrual that was not reversed in the subsequent two quarters. MCC uses\n              manual journal entry to reverse the accrual. MCC detected and corrected the error in\n              September 2013.\n\n\n                                                 1-2\n\x0c           o   Compact related expenses of approximately $2.4 million from several MCAs were\n               erroneously reported as Accounts Payable due to SSP recording errors within Oracle.\n           o   Undelivered order (UDO) amount disclosed in the notes to the financial statements was\n               erroneously recorded in the \xe2\x80\x9cCompact\xe2\x80\x9d portion of UDO overstating the amount\n               disclosed by $50 million.\n           o   Incorrect cost classification as \xe2\x80\x9cwith the public\xe2\x80\x9d and negative program cost of\n               approximately $1.4 million were presented in the note disclosure due to the absence of\n               a trading partner code being entered in oracle at the time of entry.\n           o   The SSP initiated JVs were not always tracked in the MCC consolidated JV log and did\n               not have approval from authorized MCC personnel.\n           o   MCC does not always validate the propriety of the SSP\xe2\x80\x99s open ticket resolution. The\n               remedy ticket listing maintained to keep track of open ticket system\xe2\x80\x99s issues is overly\n               broad and difficult to know the exact status of any issue without extensive follow-up.\n               Furthermore, issues resolved are removed from the listing without any history tracking;\n               that is, what was the original issue; how was the issue resolved; how extensive was the\n               issue; and whether the resolution corrected the issue.\n           o   JVs have inaccurate or inadequate explanation and/or supporting documentation.\n           o   MCC and the SSP, separately and unknowingly, made correcting entries in an effort to\n               correct same transactions incorrectly posted in Oracle. This resulted in further errors in\n               the accounts that required an extensive effort from both the SSP and MCC to resolve.\n\nRecommendations\n\nWith regards to the core financial system, we recommend that MCC:\n\n   1. Perform a comprehensive review and determine whether the SSP\xe2\x80\x99s financial management\n      system is meeting MCC financial management and reporting needs. As part of this review,\n      management should continue to evaluate whether:\n          a. a separate grants management system that focuses on program and financial\n             administrations that interfaces with the core financial system is needed, or\n          b. to establish alternatives to recording numerous data lines in the Oracle AP module\n             which is manual intensive and prone to errors.\n\n   2. Investigate and correct the underlying causes for the system errors and limitations that prevent\n      or delay the recording, processing, and summarizing of accounting transactions. Key issues that\n      remain unresolved should be escalated immediately rather than back-log the problem. MCC\n      should ensure that errors and open tickets are resolved appropriately and timely by the SSP and\n      that routine MCA accounting activities (such as the NA/NA fund transactions) are recorded in\n      Oracle within the specified timeline. Moreover, manual adjusting journal entries should be used\n      for limited transactions like unusual one-time entries or correcting entries.\n\n   3. In collaboration with the SSP, formalize in writing the system\xe2\x80\x99s issues and resolution process.\n      This will include developing a standardized remedy ticket listing with relevant and historical\n      information.\n\n   4. Continue to streamline the Monthly Commitments and Disbursements Report (MCDR) recording\n      and adjustment process.\n\n\n\n                                                  1-3\n\x0cWith regards to supervisory reviews, we recommend that MCC:\n\n   5. Implement an effective management review of its accounting and financial reporting processes\n      using the comprehensive review process to ensure that all transactions for the accounting\n      period are accurately and completely reflected in the financial statements, beginning balances\n      agreed to ending balances, and reconciling items are recorded timely. Such management\n      reviews should be performed monthly or quarterly and at year-end timely.\n\n   6. Further review SSP data entries relating to MCA payment processing and related adjustments.\n      Perform reconciliation of AP on a monthly basis and proactively resolve all differences.\n\n\n\n\n                                               1-4\n\x0c                                               EXHIBIT 2\n\n                                      SIGNIFICANT DEFICIENCIES\n\n\n1. Validation Control over Grant Accrual Estimates Needs to be Strengthened (Modified Repeat\n   Finding)\n\nMCC reported approximately $1.5 billion in compact grant related expenditures and an accrued grant\nliability of $209 million for expenditures incurred by the Millennium Challenge Accounts (MCAs) but not\nyet paid by MCC at September 30, 2013. MCC applied its new grant accrual methodology for the first\ntime at September 30, 2012.\n\nMCC\xe2\x80\x99s new accrual methodology is calculated based on an MCA\xe2\x80\x99s unused spending authority. MCC uses\nthe MCA\xe2\x80\x99s \xe2\x80\x9cin-house invoices\xe2\x80\x9d as the floor and the spending authority request as the ceiling in\ncalculating the accrued liability. MCA\xe2\x80\x99s in-house invoices are actual invoices held by the MCA waiting to\nbe submitted to the SSP for processing. The spending authority request by MCAs includes expenses that\nwere incurred but not yet reported. MCC approves the quarterly spending authority request in advance\nfor each MCA. The unused spending authority at the end of the quarter is used in the accrual calculation\nfor each MCA. MCC uses the MCA disbursement rate against the spending authority along with the\ndisbursement rates for the last three quarters to determine an average rate. The average rate is then\nsubtracted against 100 percent to arrive at a rate that is applied to the unused spending authority in\ncalculating the grant accrual estimate for the MCA.\n\nIn FY 2013, MCC continues to refine its accrual methodology and started to accumulate data store to\nvalidate its methodology. For example, MCC separately evaluated the accruals for compact agreements\nthat were expiring in FY 2013. Moreover, MCC performed follow-up inquiries with MCAs whose accrual\nestimates were not within their expectations. Through these reviews, MCC notified an MCA and the\nMCC Department of Compact Operations in writing, of spending authority request that seemed to be\nway overstated when compared to the actual results. However, MCC still has not validated some\nsignificant assumptions in its accrual methodology and still needs to continue to develop its historical\ndata store to support its assumptions and validation.\n\nSome of MCC\xe2\x80\x99s bases for validating the reasonableness of the grant accrual was inadequate and could\nnot be supported. For example, MCC is relying on an assumption that in-house invoices and accrued\nexpenses are being paid within the next 30 days in its grant accrual methodology. Given the exceptions\nwe noted in our tests, MCC needs to perform additional validation to ensure that this assumption is still\ncorrect; otherwise, the analysis of the accrual to actual may be off and could impact MCC\xe2\x80\x99s decisions to\nadjust the accrual when such an adjustment may not be warranted. We found evidence that a\nsignificant portion of those costs would not be paid until the following months.\n\nIn addition, although MCC\xe2\x80\x99s current methodology does not require further analysis on a quarter when\nthe difference (in total) between the disbursements and the accrual calculation is less than 10%, our\ntests showed, when we compared quarterly accruals to the subsequent month\xe2\x80\x99s disbursements, that the\nquarterly fluctuations on a number of the MCAs individually were over +/- 50% and as high as +/- 350%.\n\nFASAB Federal Financial Accounting Technical Release (TR) 12, Accrual Estimates for Grant Programs,\nstates that \xe2\x80\x9cAs part of agencies\xe2\x80\x99 internal control procedures to ensure that grant accrual estimates for\n\n\n                                                  2-1\n\x0cthe basic financial statements were reasonable, agencies should validate grant accrual estimates by\ncomparing the estimates with subsequent grantee reporting.\xe2\x80\x9d \xe2\x80\x9cPreparing reliable and timely accrual\nestimates for grant programs must be a joint effort between the budget, financial, and program offices\nat each agency.\xe2\x80\x9d \xe2\x80\x9cAgencies should document and maintain support for the data and assumptions used\nto develop grant accrual estimates. The documentation will facilitate the agency\xe2\x80\x99s review of the\nassumptions, a key internal control, and will facilitate the auditor\xe2\x80\x99s testing of the estimates.\xe2\x80\x9d\n\nIn addition, MCC Expense Accrual Policy and Procedures, dated March 2011, do not reflect the current\ngrant accrual methodology implemented in September 2012. In developing its policy and procedures,\nMCC should include various practical scenarios in its grant accrual calculation, such as how the spending\naccrual ceiling will be determined when compacts are partially managed by MCC; addressing situations\nwhere the compact has expired and there is no spending authority and disbursements are still occurring;\nadvances being included in the spending authority requests and subsequent disbursements as expenses;\nand others.\n\nTR 12 also states that: \xe2\x80\x9cDocumented procedures are important to communicate relevant information on\nthe grant accrual estimation to employees and management as well as other interested parties, such as\nauditors. As an agency experiences employee turnover, these documented procedures can provide vital\ninformation for new employees on how to complete reliable, well supported grant accrual estimates.\nSuch documentation may be used to establish consistent procedures for developing grant accrual\nestimates across grant programs with similar characteristics.\xe2\x80\x9d\n\nRecommendations\n\nWe recommend that MCC:\n\n        7. Develop and implement a logical and supportable look back validation process to assess the\n           reasonableness of the grant accrual estimate, and then perform a grant accrual look back\n           analysis on a quarterly basis for a sufficient period of time to develop a pattern or trend. The\n           look back analysis and the results should provide MCC sufficient information to explain\n           unusual variances between actual and estimates, or support updating the current grant\n           accrual methodology. Such periodic assessment of the adequacy of the grant accrual\n           methodology should be documented and supported by data analysis. Note that the accrued\n           liability amount is subject to the risks that actual subsequent disbursement amount may be\n           significantly different from management\xe2\x80\x99s estimate. When this occurs, management should\n           further analyze the drivers/factors to ensure the validity and reasonableness of the\n           estimation methodology.\n\n        8. Update the Expense Accruals Policy and Procedures to reflect the change in the\n           methodology. At a minimum, the policy and procedures should include the following:\n\n                a. documentation of the procedures and flow of information used in developing grant\n                   accrual estimates;\n                b. a discussion of who (position title) is responsible for each step of the estimate as\n                   well as the review and approval process followed;\n                c. the model used, the rationale for selecting the specific methodology, and, for\n                   programs with sufficient historical data, the degree of calibration within the\n                   projected spending model; and\n\n\n                                                   2-2\n\x0c                d. the sources of information, the logic flow, and the mechanics of the model,\n                   including the formulas and other mathematical functions.\n\n        9. Develop audit procedures for the MCA audit to compare spending authority amount\n           granted against actual MCA expenses, and investigate and document significant variances.\n           MCC should maintain a library of historical MCA financial data. This information may be\n           used by MCC to validate or enhance its current methodology.\n\n        10. Continue to enhance the accrual methodology by:\n\n                a. stratifying the MCAs based on variances in their spending rates and/or stages in the\n                   compact\xe2\x80\x99s life cycle;\n                b. developing and implementing a process to ensure that compacts that are partially\n                   managed by MCC are fully addressed within the grant accrual process.\n                c. addressing situations where the MCA exceeds its quarterly spending authority;\n                d. addressing situations where the compact has expired and there is no spending\n                   authority and disbursements are still occurring;\n                e. obtaining detailed document level breakdown of expenses to be used to compare\n                   against the accrual estimates;\n                f. reviewing the disbursement patterns by compact to identify those with large\n                   fluctuations to determine the cause so that adjustments can be made in developing\n                   the spending plan or in how the grant accrual is calculated to improve the accuracy\n                   of the grant accrual estimate; and\n                g. other factors as deemed necessary to achieve an acceptable precision of the accrual\n                   estimate.\n\n2. Monitoring of MCAs Audits Needs to be Strengthened (Modified Repeat Finding)\n\nOMB Circular A-123, Management Responsibility for Internal Control, states that monitoring the\neffectiveness of internal control should occur in the normal course of business. In addition, periodic\nreviews, reconciliations or comparisons of data should be included as part of the regular assigned duties\nof personnel. Periodic assessments should be integrated as part of management\xe2\x80\x99s continuous\nmonitoring of internal control, which should be ingrained in the agency\xe2\x80\x99s operations. If an effective\ncontinuous monitoring program is in place, it can level the resources needed to maintain effective\ninternal controls throughout the year.\n\nAn adequate monitoring system oversees the design, implementation, and effectiveness of controls in\nmitigating risks. This monitoring system can be structured as an ongoing assessment program (for\ninstance, supervisory reviews of day to day financial operations and reporting) or as a point in time\nprogram when a point in time assessment is required (for instance, MCA audits).\n\nWhen a country is awarded a grant (compact), it sets up its own local MCA accountable entity to\nmanage and oversee all aspects of implementing the compact. The MCAs, as the grantees of MCC\xe2\x80\x99s\nfunds, are responsible for submitting financial, programmatic and compliance documentation to MCC in\naccordance with their compact agreements with MCC and other administrative requirements. MCC, as\nthe grantor, is responsible for reviewing and monitoring the MCA\xe2\x80\x99s compliance with the compact\nagreement and other administrative requirements. MCC needs to continue to strengthen its monitoring\ncontrols over the MCA audits.\n\n\n\n\n                                                  2-3\n\x0cMCAs are required to obtain an annual (or semi-annual as agreed upon) financial audit of the MCC funds\nby an independent auditor. We reviewed the most recent audits for 15 MCAs, which accounted for a\ntotal of 15 MCA audit reports. Similar to last year\xe2\x80\x99s finding, 9 out of 15 (or 60 percent) audit reports\nwere not received timely or were already due but not yet received as of November 15, 2013, our test\ndate. There were 7 audit reports that were submitted late, ranging from 1 month to 4 months late, and\n2 audit reports due but not yet received that were over seven months late as of the test date.\n\nA financial audit of the MCA Fund Accountability Statement conducted by an independent auditor in\naccordance with Government Auditing Standards issued by the Comptroller General of the United\nStates, provides an assurance to MCC that the MCA\xe2\x80\x99s revenues received, costs incurred, and\ncommodities and technical assistance directly procured by the MCC are not materially misstated, and\nthat tests of MCA\xe2\x80\x99s internal control and compliance with compact terms and applicable laws and\nregulations related to MCC funded programs were performed. The MCA financial audit is a key MCC\ninternal control over monitoring of MCA\xe2\x80\x99s control over financial reporting and compliance and its\nreliance on MCA\xe2\x80\x99s financial reports. Accordingly, MCC should ensure that these audits are performed\nand submitted timely, reviewed timely, and corrective actions, if any, are implemented timely.\n\nA timely audit involves the timely engagement of an audit firm by the MCA, an agreed upon timeline\nthat ensures that the deliverables are provided within the deadlines, quality deliverables from the audit\nfirms, and timely responses from the MCA and the audit firms. We understand that both USAID OIG and\nMCC are working together to minimize the delays in the MCA audits, but more can be done to address\nthe root causes of these delays.\n\nRecommendation\n\n        11. Continue the collaboration between the USAID OIG and the MCC management to improve\n            timeliness of the MCA audits; adequacy of the MCA audit procedures; monitoring and\n            reviewing the quality and performance of the MCA audits; and tracking and conducting\n            follow-up of corrective action plans with the MCAs timely.\n\n3. Information Systems Controls Need Improvement (Modified Repeat Finding)\n\nAll business processes today are impacted in some respects by information systems applications,\npolicies, and controls. Information system is key to financial information collection, classification,\nallocations, and reporting.\n\nInformation systems controls must be in place to ensure that critical data, transactions and programs\nare processed in a timely manner. These include controls over MCC\xe2\x80\x99s general support system used to\ngain access to the contractor owned financial applications. Our evaluation of the general and application\ncontrols of MCC\xe2\x80\x99s key information technology infrastructure identified the following control\nweaknesses, taken together, constitute a significant deficiency.\n\nSecurity Management\n\n    \xe2\x80\xa2   MCC needs to strengthen personnel out-processing procedures. MCC personnel exit checklists\n        were not maintained in the Staff Track and Reconciliation System (STARS) for as required in the\n        MCC Exit Policy and Clearance Procedures. Additionally, while the new exit process had been\n        announced and the technology implemented, the process had not been adopted by the\n        stakeholders involved: Human Resources, Contracts, and Office of Security.\n\n\n                                                  2-4\n\x0c   \xe2\x80\xa2   MCC did not properly assess system risks for the fiscal year. For example:\n\n           o      MCC did not have an Authorization to Operate (ATO) for the MCC MIS system, even\n                  though the system is currently in the production environment.\n           o      MCC had not maintained a current ATO for the MIDAS application. The ATO expired on\n                  March 5, 2013, but the system was still in the production environment.\n           o      MCC had not performed an annual risk assessment for the MIDAS or MCC MIS systems.\n\n   \xe2\x80\xa2   MCC needs to ensure all personnel receive security awareness training. MCC did not track users\n       who failed to participate in the daily Tips of the Day. In addition, MCC did not establish a\n       required number of tips a user must view each month or year.\n\n   \xe2\x80\xa2   MCC did not fully implement NIST Special Publication 800-53, Revision 3 into its information\n       system security policies. MCC was in the process of updating the Policy; however, it was not\n       finalized.\n\nContingency Planning\n\n   \xe2\x80\xa2   MCC needs to update the disaster recovery plan to reflect lessons learned. The MCC Disaster\n       Recovery Plan had not been updated to reflect lessons learned from the disaster recovery tests\n       that occurred in December 2012.\n\nAccess Controls\n\n   \xe2\x80\xa2   MCC needs to periodically review network accounts. MCC did not perform quarterly reviews of\n       MCCNet group memberships as required by the MCC Access Control Procedures. In addition,\n       MCC did not review service accounts that had never logged into system.\n\n   \xe2\x80\xa2   MCC needs to strengthen audit and accountability controls. MCC was not reviewing or analyzing\n       domain and server audit records for indications of inappropriate or unusual activity.\n\nConfiguration Management\n\n   \xe2\x80\xa2   MCC needs to strengthen security controls surrounding patch and configuration management.\n       MCC had procedures in place that use vulnerability scanning software to assist in detecting and\n       reporting security vulnerabilities. However, our evaluation identified critical and high\n       vulnerabilities on MCC hosts that MCC did not identify through its scans.\n\n   \xe2\x80\xa2   MCC did not effectively track and maintain their asset inventory. MCC\xe2\x80\x99s asset management is\n       largely a manual process. The manual nature of the asset inventory allowed multiple, incorrect\n       or delayed entries in the asset inventory.\n\n   \xe2\x80\xa2   MCC\xe2\x80\x99s change management procedures did not describe types of changes and levels of testing\n       applied to the changes prior to approval by the Configuration Control Board.\n\nThese findings highlight MCC\xe2\x80\x99s lack of compliance with the NIST publications, OMB Circulars, and FISMA\nrequirements as listed below:\n\nOMB Circular A-130, Management of Federal Information Resources, Appendix III, states \xe2\x80\x9cAgencies shall\nimplement and maintain a program to assure that adequate security is provided for all agency\n\n\n                                                  2-5\n\x0cinformation collected, processed, transmitted, stored, or disseminated in general support systems and\nmajor applications.\xe2\x80\x9d\n\nThe Federal Information Security Management Act of 2002 (FISMA) requires that each agency develop\nan agency-wide information security program that includes:\n\n    \xe2\x80\xa2   Periodic assessments of risk, including the magnitude of harm that could result from the\n        unauthorized access, use, disclosure, disruption, modification, or destruction of information and\n        information systems that support the operations and assets of the organization;\n    \xe2\x80\xa2   Policies and procedures that are based on risk assessments, cost-effectively reduce information\n        security risks to an acceptable level and address information security throughout the life cycle of\n        each organizational information system;\n    \xe2\x80\xa2   Plans for providing adequate information security for networks, facilities, information systems,\n        or groups of information systems, as appropriate;\n    \xe2\x80\xa2   Security awareness training to inform personnel of the information security risks associated with\n        their activities and their responsibilities in complying with organizational policies and\n        procedures designed to reduce these risks;\n    \xe2\x80\xa2   Periodic testing and evaluation of the effectiveness of information security policies, procedures,\n        practices, and security controls to be performed with a frequency depending on risk, but no less\n        than annually;\n    \xe2\x80\xa2   A process of planning, implementing, evaluating, and documenting remedial actions to address\n        any deficiencies in the information security policies, procedures, and practices of the\n        organization;\n    \xe2\x80\xa2   Procedures for detecting, reporting, and responding to security incidents; and\n    \xe2\x80\xa2   Plans and procedures for continuity of operations for information systems that support the\n        operations and assets of the organization.\n\nBy not effectively implementing and enforcing IT policies and procedures, there is an increased risk that\nfinancial and sensitive information may be inadvertently or deliberately misused and may result in\nimproper disclosure or theft without detection.\n\nRecommendation\n\nWe are not repeating our recommendations which are included in the USAID OIG Report titled \xe2\x80\x9cAudit of\nMillennium Challenge Corporation\xe2\x80\x99s Fiscal Year 2013 Compliance with Federal Information Security\nManagement Act of 2002,\xe2\x80\x9d Audit Report M-000-13-005-P, dated September 20, 2013.\n\n\n\n\n                                                   2-6\n\x0c                                              EXHIBIT 3\n\n                      STATUS OF PRIOR YEAR FINDINGS AND RECOMMENDATIONS\n\nAs required by Government Auditing Standards and OMB Bulletin 14-02, we have reviewed the status of\nMCC corrective actions with respect to the findings and recommendations included in MCC\xe2\x80\x99s Report on\nInternal Control for FY 2012. The following analysis provides our assessment of the progress MCC has\nmade through September 30, 2013 in correcting the noted deficiencies.\n\n   FY 2012 Findings         FY 2012 Summary of Recommendations                   FY 2013 Status\n\n I. Material Weakness:   1. Perform a comprehensive review and               Open\n    Ineffective and         determine whether the service provider\xe2\x80\x99s\n    Inefficient             financial management system is substantially\n    Interrelationship       in compliance with the federal financial\n    among Software,         management system\xe2\x80\x99s requirements and\n    Personnel,              meeting MCC financial management and\n    Procedures,             reporting needs. As part of this review,\n    Controls and Data       management should determine if a separate\n    within MCC\xe2\x80\x99s            grants management system that focuses on\n    Financial               program administrations that interfaces with\n    Management              the core financial system is needed.\n    Systems\n                         2. Investigate and correct the causes for the       Open\n                            underlying system errors and limitations that\n                            prevent or delay the recording, processing,\n                            and summarizing of accounting transactions.\n\n                         3. Review USSGL transactions posting models so      Closed\n                            that all routine accounting transactions are\n                            included in the normal accounting processes.\n\n                         4. Hard code key cells in the excel spreadsheets    Closed\n                            used in preparing and generating the financial\n                            statements to prevent unintentional or\n                            inadvertent changes.\n\n                         5. Limit access and ability to make changes to      Closed\n                            the workbook to a few personnel. Assign a\n                            staff and a designate as primarily responsible\n                            and accountable for the workbook.\n\n                         6. Create a log to document changes to the          Closed\n                            workbook, the date of change, the person\n                            making the change, and the changes made.\n\n\n\n\n                                                 3-1\n\x0c                        7. Investigate the use of alternative approaches    Closed\n                           such as the use of a financial statement\n                           generation software tool or other financial\n                           management system that can interface with\n                           the trial balance or the core financial system\n                           and automatically generate the financial\n                           statements.\n\n                       8. Develop a comprehensive financial                 Closed\n                          statements review process that detail specific\n                          review steps performed, results of such\n                          reviews, steps taken to resolve discrepancies\n                          noted, and related management resolution.\n\n                       9. Implement an effective management review          Open\n                          using the comprehensive review process\n                          developed in recommendation 8.\n\n                       10. Cross-train MCC financial staff on the           Open but will be\n                           financial statements preparation process to      reported as management\n                           ensure that there is more than one person        letter comment in FY\n                           knowledgeable and can prepare the financial      2013.\n                           statements.\n\n2. Significant        11. Perform a grant accrual look back analysis on     Open\n   Deficiency:            a quarterly basis for a sufficient period of\n   Validation Control     time to develop a pattern or trend.\n   over Grant Accrual\n   Estimates Needs\n   to be\n   Strengthened\n                      12. Update the Expense Accruals Policy and            Open\n                          Procedures.\n\n                       13. Continue to enhance the accrual                  Open\n                           methodology.\n\n                       14. Develop audit procedures for the MCA audit       Open\n                           to compare authority request amount against\n                           actual expenses.\n\n3. Significant         15. MCC management collaborates with USAID to        Closed\n   Deficiency:             clarify and document management roles,\n   Monitoring              responsibilities, and performance standards\n   Control over            and the USAID OIG oversight roles with\n   Funds Provided to       regards to MCA audits.\n   MCAs Needs\n\n\n                                                3-2\n\x0c  Improvement\n  A. Audit Reports\n                       16. Evaluate resources, capability, and ability to    Closed\n                           monitor and review the quality and\n                           performance of the audits and the audit firms\n                           to track and conduct follow-up of corrective\n                           action plans with the MCAs in a timely\n                           manner.\n\n  B. Final Quarterly   17. Utilize the QFRs and monthly reconciliations      Closed\n Financial Report          as monitoring tools over the MCA\xe2\x80\x99s financial\n (QFR)                     reporting process and MCC\xe2\x80\x99s validation of its\n                           financial records.\n\n                       18. Ensure the MCA reconciliations are provided       Closed\n                           to MCC and reviewed to investigate material\n                           variances and make corrections, if any.\n\n                       19. Require the MCA audit firms to test the           Open but will be\n                           design and effectiveness of the MCA\xe2\x80\x99s             reported as management\n                           internal control over the QFRs and the            letter comment in FY\n                           monthly reconciliation, and to test the           2013.\n                           accuracy of the balances and reconciliation.\n\n                       20. Develop and implement reconciliation              Closed\n                           procedures to complete the reconciliation\n                           between the MCA\xe2\x80\x99s final QFR and MCC\xe2\x80\x99s\n                           records.\n\n                       21. Timely assess the MCA\xe2\x80\x99s need for the              Closed\n                           remaining compact funds so that could be de-\n                           obligated within the timeline in the policy and\n                           procedures after the contract expires.\n\n                       22. Develop and implement a financial                 Closed\n                           management policy that separates the\n                           programmatic close-out process from the\n                           financial close-out process. This policy should\n                           clearly lay out the expected timing for de-\n                           obligation.\n\n4. Significant         23. We did not include recommendations in our         Status of the findings and\n   Deficiency:             audit report. Our recommendations were            recommendations were\n   Information             included in a separate USAID OIG Report           reported separately in\n   Systems Controls        titled \xe2\x80\x9cAudit of Millennium Challenge             USAID OIG Report titled\n   Need                    Corporation\xe2\x80\x99s Fiscal Year 2012 Compliance         \xe2\x80\x9cAudit of Millennium\n   Improvement             with Federal Information Security                 Challenge Corporation\xe2\x80\x99s\n\n\n                                                 3-3\n\x0cManagement Act of 20012,\xe2\x80\x9d Audit Report M-   Fiscal Year 2013\n000-13-001-P, dated November 6, 2012.       Compliance with Federal\n                                            Information Security\n                                            Management Act of\n                                            2002,\xe2\x80\x9d Audit Report M-\n                                            000-13-005-P, dated\n                                            September 20, 2013.\n\n\n\n\n                   3-4\n\x0c                                                        EXHIBIT 4\n\n                                       MANAGEMENT'S RESPONSE TO FINDINGS\n\nMILLENNIUM\nCI-IALLENGI3 CORPORATION\nUNITED STATES OF AMERICA\n\n\n\n\n             December 11, 2013\n\n             Mia Leswing, CAP, CISA, CGFM, Partner\n             CIiftonLarsonAllen, LLP\n             4250 N. Fairfax Drive\n             Suite 1020\n             Arlington, VA 22203\n\n             Robert Fry\n             Acting Deputy Assistant Inspector General!Audit\n             Millennium Challenge Corporation\n             1401 H Street, NW, Suite 770\n             Washington DC 20005\n\n             Dear Ms. Leswing and Mr. Fry:\n\n             In response to the audit findings and recommendations provided in your financial statement\n             audit report MCe has the following comments:\n\n             M(lteri(ll We(lkness: Ineffective (lnd Inefficient Integmtion of D(lt(l, Processes, (lnd\n             Controls within the Fin(lnci(ll M(ln(lgement Systems (Modified Repe(lt Finding)\n\n             Recommendations ii'om the auditors regarding the core financial system:\n\n             1. Perform a comprehensive review and determine whether the SSP's financial management\n                system is meeting MCC financial management and reporting needs. As part of this\n                review, management should continue to evaluate whether:\n\n             2. Investigate and correct the underlying causes for the system enors and limitations that\n                prevent or delay the recording, processing, and summarizing of accounting transactions.\n                Key issues that remain unresolved should be escalated immediately rather than back-log\n                the problem. MCC should ensure that errors and open tickets are resolved appropriately\n                and timely by the SSP and that routine MCA accounting activities (such as the NAINA\n                fimd transactions) are recorded in Oracle within the specified timeline. Moreover, manual\n                adjustingjoumal entries should be used for limited transactions like unusual one-time\n                entries or conecting entries. (Modified repeat recommendation)\n\n                      a. a separate grants management system that focuses on program and financial\n                          administrations that intelfaces with the core financial system is needed, or\n                      b. to establish altematives to recording numerous data lines in the Oracle AP module\n                          which is manual intensive and prone to enors. (Modified repeat recommendation)\n\n\n                                                            4-1\n    875 Fifteenth Street NW I   Washington. DC I   20005-2221 I   p: (202) 521-3600 I f: (202) 521-3700   I www.mcc.gov\n\x0c3. In collaboration with the SSP, formalize in writing the system's issues and resolution\n   process. This will include developing a standardized remedy ticket listing with relevant\n   and historical information. (New recommendation)\n\n4. Continue to streamline the Monthly Commitments and Disbursements Report recording\n   and adjustment process.\n\nRecommendations fi:om the auditors regarding supervisory reviews:\n\n5. Implement an effective management review of its accounting and financial reporting\n   processes using the comprehensive review process to ensure that all transactions for the\n   accounting period are accurately and completely reflected in the financial statements,\n   beginning balances agreed to ending balances, and reconciling items are recorded timely.\n   Such management reviews should be performed monthly or quarterly and at year-end\n   timely. (Modified repeat recommendation)\n\n6. Further review SSP data entries relating to MCA payment processing and related\n   adjustments. Perform reconciliation of AP on a monthly basis and proactively resolve all\n   differences. (New recommendation)\n\nResponse from MCC:\nMCC concurs with recommendation I - 6.\n\nSignificant Deficiency: Validation Control over Grant Accrual Estimates Needs to be\nStrengthened (Modified Repeat Finding)\n\nRecommendations from the auditors:\n\n7. Develop and implement a logical and supportable look back validation process to assess\n   the reasonableness of the grant accrual estimate, and then perform a grant accrual look\n   back analysis on a quarterly basis for a sufficient period of time to develop a pattern or\n   trend. The look back analysis and the results should provide MCC sufficient information\n   to explain unusual variances between actual and estimates, or support updating the\n   current grant accrual methodology. Such periodic assessment of the adequacy of the grant\n   accrual methodology should be documented and suppOlied by data analysis. Note that the\n   accrued liability amount is subject to the risks that actual subsequent disbursement\n   amount may be significantly different fi\xc2\xb7om management's estimate. When this occurs,\n   management should further analyze the drivers/factors to ensure the validity and\n   reasonableness of the estimation methodology. (Modified repeat recommendation)\n\n8. Update the Expense Accruals Policy and Procedures to reflect the change in the\n   methodology. At a minimum, the policy and procedures should include the following:\n   (Modified repeat recommendation\n\n\n\n\n                                          4-2\n\x0c       a. documentation of the procedures and flow of information used in developing grant\n           accrual estimates;\n       b. a discussion of who (position title) is responsible for each step of the estimate as\n           well as the review and approval process followed;\n       c. the model used, the rationale for selecting the specific methodology, and, for\n           programs with sufficient historical data, the degree of calibration within the\n           projected spending model; and\n       d. the sources of information, the logic flow, and the mechanics of the model,\n           including the fonnulas and other mathematical functions.\n\n9. Develop audit procedures for the MCA audit to compare spending authority amount\n   granted against actual MCA expenses, and investigate and document significant\n   variances. MCC should maintain a library of historical MCA financial data. This\n   information may be by MCC to validate or enhance its cunent methodology.\n\n10. Continue to enhance the accrual methodology by:\n       a. stratifying the MCAs based on variances in their spending rates and/or stages in the\n          compact's life cycle;\n       b. developing and implementing a process to ensure that compacts that are partially\n          managed by MCC are fully addressed within the grant accrual process.\n       c. addressing situations where the MCA exceeds its quarterly spending authority;\n       d. addressing situations where the compact has expired and there is no spending\n          authority and disbursements are still occuning;\n       e. obtaining detailed document level breakdown of expenses to be used to compare\n          against the accrual estimates;\n       f. reviewing the disbursement patterns by compact to identify those with large\n          fluctuations to determine the cause so that adjustments can be made in developing\n          the spending plan or in how the grant accrual is calculated to improve the accuracy\n          of the grant accrual estimate.; and\n       g. other factors as deemed necessary to achieve an acceptable precision of the accrual\n          estimate.\n\nResponse from MCC:\nMCC concurs with recommendation 7 - 10.\n\nSignijicant Deficiency: Monitoring of MCAs Audits Needs to be Strengthened (Modijied\nRepeat Finding)\n\nRecommendation fi'om the auditors:\n\n11. Continue the collaboration between the USAID OIG and the MCC management to\n    improve timeliness of the MCA audits; adequacy of the MCA audit procedures;\n    monitoring and reviewing the quality and performance of the MCA audits; and tracking\n    and conducting follow-up of conective action plans with the MCAs timely.\n\nResponse from MCC:\n\n\n\n\n                                       4-3\n\x0cMCC concurs with recommendation 11.\n\nSignificant Deficiency: Information Systems Controls Need Improvement (Modified\nRepeat Finding)\n\nRecommendation from the auditors:\n\n12. Repeat recommendations :!i'om the FISMA RepOlt.\n\nResponse from MCC:\nMCC concurs with recommendations from the FISMA RepOlt.\n\n\nSincerely,\n\n\n\n\n   /s/\n\nChan~in Wong\nVice P.(esident, Administration and Finance and\nChief Financial Officer\n\n\n\n\n                                      4-4\n\x0cU.S. Agency for International Development\n       Office of Inspector General\n       1300 Pennsylvania Ave, NW\n         Washington, DC 20523\n           Tel: (202) 712-1150\n           Fax: (202) 216-3047\n           www.usaid.gov/oig\n\x0c"